Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I need help with time stamp recognition

kjetil
New Member
‎07-06-2012 06:55 AM

Hi.

I've just started with Splunk and need help setting up file input. The log files looks like the below. A header row and one row per event. Each event starts with a number from 0 to whatever, the date, the time and a lot of other fields - all fields separated by semicolon

0;30Jun2012;23:30:00;

567498;1Jul2012;11:26:44;

What I need help with is setting up the recognition. Auto does not work and I'm no too good with regular expressions.

Anyone?

Share and enjoy
Kjetil

Tags (1)
0 Karma
Reply

Ayn
Legend
‎07-06-2012 07:29 AM

It's not regular expressions you need, but rather strftime/strptime style definitions. I usually go to http://strftime.org/ for a quick reference on them - or if the short version there doesn't cover what I want, I do man strftime in a UNIX shell. These definitions should go in the TIME_FORMAT directive in the appropriate section in props.conf. So for your logs it should be something like:

[your_sourcetype]
TIME_FORMAT = %e%b%Y;%H:%M:%S
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...